[Xen-users] OT: Network Security

["Jonathan Tripathy" <jonnyt@xxxxxxxxxxx>]

Hi Everyone,

 

I've labeled this as Off-Topic as it's not really directly related to Xen, however I know the folk here are very experienced and helpful and my solution is going to be implemented on Xen. Please bear with me.

 

I'm trying to decide where to put my web server and DB server in my network. My current idea is to have an Apache Reverse Proxy in a DMZ, and put the "real" web server in a seperate subnet, along with the DB server. So it looks like this:

 

Internet

    :

<NAT Port Fordwarding>

    :

**************************************

DMZ: Reverse Proxy Server (which proxies to "real" web server)

**************************************

    :

    :

    :

********************************************

Seperate Subnet: "Real" Web server and Database Server

********************************************

 

I'm in a bit of a debate with some people. Since the whole setup above will be on a single Xen box, and since I'm using filtering on my Dom0 bridge, my argument is that seperating into different subnets is irrelevant, since I'm able to tightly restrict communication between hosts on the same subnet (My current rules don't even allow IP or MAC spoofing). Some people have told me to put both reverse proxy and "real" web server in DMZ, and put DB on its own subnet.

 

Woudn't it be just as secure to put everything on the same subnet, and make use of my Dom0 filtering bridge to filter communication between guests? Or is there some "magicness" that separating into different subnets has?

 

Thanks

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users